These companies include Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, HiSilicon, Nintendo, Disney, Johnson Controls and others, and the list is growing.
Tillie Kottmann, a developer from Switzerland, collected these leaks from various third-party sources and also personally found many misconfigurations in DevOps tools that could be used to access source code.
The leaked source code was published in a public repository on GitLab, tagged "exconfidential" and marked "Confidential & Proprietary".
(Update: the GitLab repositories have all been deleted, and Kottmann now uses Telegram groups to publish this information.)
According to information provided by Bank Security, a security research organisation, the repository contained source code from about 50 companies. Some folders are empty, while others contain hard-coded credentials, which can effectively serve as a back door.
Kottmann acknowledged that some code bases do contain hard-coded credentials and said he removed them as far as possible before publishing, "to avoid causing direct harm or contributing to greater damage". He also admitted that he had not contacted every affected company before the release, but said they "tried their best to minimize the negative impact".
At present, Kottmann has deleted code at the request of some companies, for example Daimler AG, the parent company of Mercedes-Benz; Lenovo's folder is also empty. Kottmann expressed a willingness to comply with companies' requests to delete code, and to provide information "to help the company enhance the security of its infrastructure".
In fact, judging from the number of DMCA notices received (estimated at no more than seven) and the contacts from legal representatives, many companies are still unaware of the leak. Some companies have no intention of asking for the code to be deleted, and some even find it "very interesting" and just want to know how Kottmann obtained the code.
Some of the leaked code had already been released publicly by its original developers, or had not been updated or maintained for a long time. Ilia Kolochenko, founder and CEO of the cybersecurity company ImmuniWeb, pointed out that "from a technical point of view, this leak is not very serious ... without daily support and improvement, the source code will depreciate rapidly".
Nevertheless, the cause of such a large-scale leak still deserves attention. Many companies misconfigure their DevOps tools, which leads to the exposure of source code. Kottmann and his team have recently been exploring servers running SonarQube, and found that thousands of companies exposed source code because they failed to properly secure their SonarQube installations.
Regarding the act of leaking source code, security expert Jake Moore told Tom's Guide, a technology website, that "losing control of the source code is like giving a bank blueprint to a robber ... the affected website should take protective measures immediately ... If users find that their data has been leaked before the company, it is undoubtedly rubbing salt in the wound".
On the legal side, Kolochenko believes that the publisher of the source code could be sued for copyright infringement or for violating computer crime laws, but large companies usually will not pursue legal action. They would rather quickly have the source code removed from the repository and fix their internal DevOps security processes.
To that end, Kolochenko suggested that "enterprises should modify and continuously monitor DevOps operations and turn them into agile DevSecOps".
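A pre-publication credential check of the kind the article touches on (hard-coded credentials scrubbed from the leaked code before release, and the continuous DevSecOps monitoring Kolochenko recommends), as an added Python example that is not part of the article and not Kottmann's or any vendor's tooling. The sample file contents, keyword list, weak-default list and entropy threshold are all constructed assumptions.

```python
import math
import re

# Constructed sample of a config file as it might sit in a leaked repository.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
db_password = "Tr0ub4dor&3xq9Lp"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
debug = "true"
token = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

# Secrets with a recognisable structure are flagged regardless of entropy.
STRUCTURED = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}
# Generic assignments are flagged if the value is random-looking or a known weak default.
ASSIGNMENT = re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*[:=]\s*[\"']([^\"']+)[\"']")
WEAK_DEFAULTS = {"changeme", "password", "admin", "secret"}  # assumed denylist
MIN_ENTROPY = 3.0  # bits per character; an assumed, loosely tuned threshold

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan(text):
    """Return (line_no, kind, value) for each suspected hard-coded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, pat in STRUCTURED.items():
            m = pat.search(line)
            if m:
                findings.append((no, kind, m.group(0)))
        m = ASSIGNMENT.search(line)
        if m:
            key, value = m.group(1).lower(), m.group(2)
            if value.lower() in WEAK_DEFAULTS:
                findings.append((no, "weak_default_" + key, value))
            elif shannon_entropy(value) >= MIN_ENTROPY:
                findings.append((no, "high_entropy_" + key, value))
    return findings

if __name__ == "__main__":
    for no, kind, value in scan(SAMPLE_SOURCE):
        print(f"line {no}: {kind}: {value}")
```

The entropy threshold alone would miss "changeme" (about 2.75 bits per character), which is why the weak-default denylist sits beside it; run the check in CI before any code leaves the organisation.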